U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S PERSONNEL INVESTIGATIONS PROCESSING SYSTEM
FY 2013
WASHINGTON, D.C.

Report No. 4A-IS-00-13-022

Date: June 24, 2013

______________________
Michael R. Esser
Assistant Inspector General for Audits

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Executive Summary

This final audit report discusses the results of our audit of the information technology security controls of the U.S. Office of Personnel Management’s (OPM) Personnel Investigations Processing System (PIPS). Our conclusions are detailed in the “Results” section of this report.

Security Assessment and Authorization (SA&A)
An SA&A of PIPS was completed in June 2011. We reviewed the authorization package for all required elements of an SA&A, and determined that the package contained all necessary documentation.

Federal Information Processing Standards (FIPS) 199 Analysis
The security categorization of PIPS appears to be consistent with FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 requirements, and we agree with the categorization of “high.”

System Security Plan (SSP)
The PIPS SSP contains the critical elements required by NIST SP 800-18. However, several controls listed in the SSP as common or inherited are inappropriately labeled.

Risk Assessment
A risk assessment was conducted for PIPS as part of its 2011 SA&A. All major elements outlined in the NIST guidance were addressed.

Independent Security Control Testing
A security control assessment was completed for PIPS in April 2011 as part of the system’s SA&A process. As a result of the inappropriately labeled controls in the SSP, the Bureau of Public Debt inappropriately removed these controls from its security control test plan, and these controls have not been adequately tested.

Security Control Self-Assessment
Federal Investigative Services implemented an Information Security Continuous Monitoring Plan that addresses the annual self-assessment requirements. However, the security plan inappropriately labels several controls as common or inherited, thus impacting the ability of FIS to appropriately implement and test the PIPS controls.

Contingency Planning and Contingency Plan Testing
A contingency plan was developed for PIPS that is in compliance with NIST SP 800-34 and is tested annually.

Privacy Impact Assessment (PIA)
A privacy threshold analysis was conducted for PIPS and indicated that a PIA was required. A PIA was conducted in June 2011.

Plan of Action and Milestones (POA&M) Process
The PIPS POA&M is routinely submitted to the Office of the Chief Information Officer for evaluation and generally follows the format of the OPM POA&M guide, with a few exceptions regarding the level of detail required by the OPM guide. However, a substantial number of POA&M items are significantly overdue.

NIST SP 800-53 Evaluation
We evaluated the degree to which a subset of the IT security controls outlined in NIST SP 800-53 Revision 3 was implemented for PIPS and found no issues beyond those previously identified.

Contents

Executive Summary
Introduction
Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
   I. Security Assessment and Authorization
   II. FIPS 199 Analysis
   III. System Security Plan
   IV. Risk Assessment
   V. Independent Security Control Testing
   VI. Security Control Self-Assessment
   VII. Contingency Planning and Contingency Plan Testing
   VIII. Privacy Impact Assessment
   IX. Plan of Action and Milestones Process
   X. NIST SP 800-53 Evaluation
Major Contributors to this Report
Appendix A: Federal Investigative Services’ April 25, 2013 response to the draft audit report, issued March 1, 2013

Introduction

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) of the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we audited the information technology (IT) security controls related to the Office of Personnel Management’s (OPM) Personnel Investigations Processing System (PIPS).

Background

OPM’s Federal Investigative Services (FIS) has ownership of PIPS. PIPS is utilized to process hundreds of thousands of background investigations each year. The system contains the OPM Security/Suitability Investigations Index and maintains approximately 15 million records of investigations conducted by and for OPM, the Federal Bureau of Investigations, the U.S. Department of State, the Secret Service, and other customer agencies. The PIPS system interfaces with several other FIS systems to process applications, and the flow of data relies on both the OPM Local Area Network / Wide Area Network (LAN/WAN) and Enterprise Server Infrastructure (ESI) general support systems. As a function of oversight, the Office of the Chief Information Officer (OCIO) assigned an Information System Security Officer (ISSO) to manage a variety of security functions on behalf of FIS.

Objectives

Our objective was to perform an evaluation of the security controls for PIPS to ensure that FIS has implemented IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM), and OPM’s OCIO.

OPM’s IT security policies require managers of all major information systems to complete a series of steps to (1) certify that their system’s information is adequately protected and (2) authorize the system for operations. The audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for PIPS, including:

• Security Assessment and Authorization;
• FIPS 199 Analysis;
• System Security Plan;
• Risk Assessment;
• Independent Security Control Testing;
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment;
• Plan of Action and Milestones Process; and
• NIST Special Publication 800-53 Security Controls.

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of FIS, including IT security controls in place as of January 2013.

We considered the PIPS internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objectives, we interviewed representatives of OPM with security responsibilities for PIPS. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of PIPS are located in the “Results” section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the PIPS system of internal controls taken as a whole.

The criteria used in conducting this audit include:
• OPM Information Security and Privacy Policy Handbook;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• The Federal Information System Controls Audit Manual;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;
• Federal Information Processing Standards Publication (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from November 2012 through January 2013 in OPM’s Washington, D.C. office. This was our first audit of the security controls surrounding PIPS.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether FIS’ management of PIPS is consistent with applicable standards. Nothing came to our attention during this review to indicate that FIS is in violation of relevant laws and regulations.

Results

I. Security Assessment and Authorization

A Security Assessment and Authorization (SA&A) of PIPS was completed in June 2011.

OPM’s Chief Information Security Officer reviewed the PIPS SA&A package and signed the system’s authorization letter on July 19, 2011. The system’s authorizing official signed the letter and authorized the continued operation of the system on July 24, 2011.

NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” provides guidance to federal agencies in meeting security accreditation requirements. The PIPS SA&A appears to have been conducted in compliance with NIST requirements.

II. FIPS 199 Analysis

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels.

NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The PIPS FIPS 199 categorizes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. PIPS is categorized with a high impact level for confidentiality and integrity and moderate for availability, resulting in an overall categorization of high.

The security categorization of PIPS appears to be consistent with FIPS 199 and NIST SP 800-60 requirements, and the OIG agrees with the categorization of high.

III. System Security Plan

Federal agencies must implement on each information system the security controls outlined in NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in a System Security Plan (SSP) for each system, and provides guidance for doing so.

The SSP for PIPS was created using a template that is outlined in the OPM SSP guide. The SSP contains the majority of the elements outlined in NIST SP 800-18. However, during the review of controls listed in the SSP as common or inherited, it was determined that several were inappropriately labeled. NIST SP 800-18 explains that common or inherited controls are “those controls covered at the agency level, which are not system-specific.” (9) NIST also defines a common security control as having “the following properties: (i) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (ii) the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.” Labeling controls incorrectly as common/inherited increases the likelihood that controls are not properly implemented at the system level, which in turn increases the risk that individuals can inappropriately access sensitive PIPS data.

Recommendation 1
We recommend that the PIPS ISSO, FIS, and the owners of the LAN/WAN and ESI collaborate to ensure that all controls listed on the PIPS SSP are appropriately categorized as common, inherited, hybrid, or system specific.

FIS Response:
“FIS agrees with the recommendation to collaborate with the owners of LAN/WAN and ESI to ensure all security controls are appropriately categorized. FIS does note that the controls found within the Common Security Controls Collection (CSCC) are assessed and validated by the Information Technology Security and Privacy (ITSP) for insertion into this library for use amongst the various OPM systems as agency common controls. FIS intends to meet with the LAN/WAN and ESI owners to come to a mutual agreement on the control type and status for each control currently labeled as belonging to a control provider.”

OIG Reply:
As part of the audit resolution process for this recommendation and all subsequent recommendations to which FIS agrees, please provide OPM’s Internal Oversight and Compliance (IOC) division with evidence supporting the corrective action taken.

IV. Risk Assessment

A risk assessment is used as a tool to identify security threats, vulnerabilities, potential impacts, and probability of occurrence. In addition, a risk assessment is used to evaluate the effectiveness of security policies and recommend countermeasures to ensure adequate protection of information technology resources.

NIST SP 800-30, Risk Management Guide for Information Technology Systems, offers a nine-step systematic approach to conducting a risk assessment that includes: (1) system characterization; (2) threat identification; (3) vulnerability identification; (4) control analysis; (5) likelihood determination; (6) impact analysis; (7) risk determination; (8) control recommendation; and (9) results documentation.

A risk assessment was conducted for PIPS as part of its 2011 SA&A. All major elements outlined in the NIST guidance were addressed.

V. Independent Security Control Testing

A security control assessment was completed for PIPS in April 2011 as part of the system’s SA&A process. The security assessment was conducted by another government agency, the Bureau of Public Debt (BPD). We reviewed the documentation resulting from this test to ensure that it included a review of the appropriate management, operational, and technical controls required for a system with a “high” security categorization according to NIST SP 800-53, Recommended Security Controls for Federal Information Systems.

The BPD appeared to adequately test the security controls that were within the scope of its engagement. However, as mentioned in section III above, the PIPS SSP incorrectly identified several controls as common or inherited. As a result, the BPD inappropriately removed these controls from its security control test plan, and these controls have not been adequately tested. Prior to the next independent test of security controls, an appropriately categorized list of security controls should be finalized as a result of Recommendation 1, above.

VI. Security Control Self-Assessment

FISMA requires that the IT security controls of each major application owned by a federal agency be tested on an annual basis. In the years that an independent security assessment is not being conducted on a system, the system’s owner must conduct an internal self-assessment of security controls. Furthermore, NIST SP 800-53 mandates the development of a security assessment plan and outlines the required inclusions.

On October 1, 2012, FIS implemented an Information Security Continuous Monitoring (ISCM) Plan that outlined an approach for testing all high-volatility controls at a frequency no less than quarterly and moderate/low-volatility controls at a frequency no less than annually. However, as mentioned in section III above, the FIS security plan inappropriately labels several controls as common or inherited. The current ISCM plan cannot be fully implemented until FIS identifies exactly which security controls are system specific and need to be subject to continuous monitoring.

Failure to complete an appropriately scoped security controls test increases the risk that IT security weaknesses go undetected and that FIS is unable to make informed judgments to appropriately mitigate risks to an acceptable level.

Recommendation 2
We recommend that, after all controls on the SSP have been reviewed and appropriately categorized, FIS ensure that a thorough test of security controls is completed for PIPS.

FIS Response:
“FIS agrees with the recommendation. Recognizing the concern identified by OIG with possible improperly categorized security controls within the SSP, FIS will fully review all security controls currently categorized as common or inherited and validate their accuracy while collaborating with the control provider. FIS will update the SSP accordingly based on this review, will include those found to be improperly categorized into the current ISCM plan and will re-test all security controls during the next Assessment & Authorization cycle for PIPS (June 2014).”

VII. Contingency Planning and Contingency Plan Testing

NIST SP 800-34, Contingency Planning Guide for IT Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM’s security policies require all major applications to have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan
The PIPS contingency plan documents the functions, operations, and resources necessary to restore and resume PIPS operations when unexpected events or disasters occur. The PIPS contingency plan follows the format suggested by NIST SP 800-34 and contains a majority of the suggested elements.

Contingency Plan Test
NIST SP 800-34 also provides guidance for testing contingency plans and documenting the results. In addition, NIST SP 800-53 Control CP-3 requires system owners to “train personnel in their contingency roles and responsibilities with respect to the information system and provide refresher training.”

FIS conducted a test of the system’s contingency plan in 2012. The testing documentation includes the majority of elements suggested by NIST SP 800-83.

VIII. Privacy Impact Assessment

FISMA requires agencies to perform a screening of federal information systems to determine if a Privacy Impact Assessment (PIA) is required for that system. OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy in information systems and to document any privacy issues that have been identified and addressed. The OPM Privacy Impact Assessment Guide states that all OPM IT systems must have a Privacy Threshold Analysis (PTA), which is utilized to determine if a PIA is required.

FIS completed a PTA of PIPS and determined that a PIA was required for this system. As such, a PIA was completed in June of 2011 based on the guidelines contained in OPM’s PIA Guide.

IX. Plan of Action and Milestones Process

A Plan of Action and Milestones (POA&M) is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency’s information systems.

The OIG evaluated the PIPS POA&M and verified that it generally follows the format of OPM’s standard template, and that updates are routinely submitted to OCIO for evaluation. However, the POA&M process is not being utilized effectively. The PIPS POA&M contained 21 security weaknesses, 4 of which have remediation activities in excess of 365 days overdue and an additional 17 of which have remediation activities in excess of 120 days overdue. In addition, the PIPS POA&M contains the following inconsistencies with OPM’s POA&M Guide:
• The OPM POA&M color scheme is not being properly utilized to address delayed and late items;
• The “weakness” column for a significant number of items is missing the corresponding NIST guidance associated with the identified weakness;
• The “estimated completion date” column is not being utilized appropriately to track remediation efforts; and
• The “comments” column is not being properly utilized to track the mitigation efforts for weaknesses and explain delayed items.

Failure to appropriately use the POA&M process to address known security weaknesses in a timely manner increases the risk that someone could gain unauthorized access to the system or the data it contains.

Recommendation 3
We recommend that FIS develop a detailed action plan for the remediation of all overdue POA&M items.

FIS Response:
“FIS has, and will continue to provide a Corrective Action Plan (CAP) to OPM CIO ITSP, which describes the prioritization of resources (personnel and funding) to resolve all POAMs over 120 days. The PIPS CAP is reviewed and updated each quarter and provided to OPM CIO ITSP.

FIS agrees to provide more detail in the POAM and/or POAM Milestones and will reflect the specific detail appropriately into Trusted Agent FISMA (TAF).”

Recommendation 4
We recommend that FIS revise its existing POA&M items to include the required level of detail as explained in the OPM POA&M Guide.

FIS Response:
“FIS agrees with the need to increase the level of detail found within the existing POAMs. It has been noted that the current OPM POAM Guide is a bit outdated (September 2009) and it does not accurately reflect the current business process creation, monitoring, updating and closure of POA&Ms using the TAF application. FIS would request validation [that] the OPM POAM Guide has not changed the definition of “required level of detail” since original publication.”

X. NIST SP 800-53 Evaluation

NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, we evaluated whether a subset of these controls had been implemented for PIPS. During our review of the POA&M process, we noted 21 open items which correspond to security controls that are not fully implemented for PIPS. In addition, we independently tested several security controls outlined in NIST SP 800-53 Revision 3 that are applicable to a FIPS 199 “high” categorized system. These controls were evaluated by interviewing individuals with PIPS security responsibilities, reviewing documentation and system screenshots, and viewing demonstrations of system capabilities.

Our testing did not identify any additional issues beyond those already noted on the PIPS POA&M.

Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• [name redacted], Deputy Assistant Inspector General for Audits
• [name redacted], Senior Team Leader
• [name redacted], Auditor-in-Charge
• [name redacted], IT Auditor

Appendix A

United States Office of Personnel Management

TO: Chief, Information Systems Audit Group
    Office of Personnel Management

FROM: PIPS System Owner
      Federal Investigative Services (FIS)
      Office of Personnel Management

SUBJECT: Response to "Draft" FY2013 FISMA System Audit of PIPS

OIG Recommendation 1:
We recommend that the PIPS ISSO, FIS, and the owners of the LAN/WAN and ESI, collaborate to ensure that all controls listed on the PIPS SSP are appropriately categorized as common, inherited, hybrid, or system specific.

FIS Response:
FIS agrees with the recommendation to collaborate with the owners of LAN/WAN and ESI to ensure all security controls are appropriately categorized. FIS does note that the controls found within the Common Security Controls Collection (CSCC) are assessed and validated by the Information Technology Security and Privacy (ITSP) for insertion into this library for use amongst the various OPM systems as agency common controls. FIS intends to meet with the LAN/WAN and ESI owners to come to a mutual agreement on the control type and status for each control currently labeled as belonging to a control provider.

OIG Recommendation 2:
We recommend that, after all controls on the SSP have been reviewed and appropriately categorized, FIS ensure that a thorough test of security controls is completed for PIPS.

FIS Response:
FIS agrees with the recommendation. Recognizing the concern identified by OIG with possible improperly categorized security controls within the SSP, FIS will fully review all security controls currently categorized as common or inherited and validate their accuracy while collaborating with the control provider. FIS will update the SSP accordingly based on this review, will include those found to be improperly categorized into the current ISCM plan and will re-test all security controls during the next Assessment & Authorization cycle for PIPS (June 2014).

OIG Recommendation 3:
We recommend that FIS develop a detailed action plan for the remediation of all overdue POAM items.

FIS Response:
FIS has, and will continue to provide a Corrective Action Plan (CAP) to OPM CIO ITSP, which describes the prioritization of resources (personnel and funding) to resolve all POAMs over 120 days.
The PIPS CAP is reviewed and updated each quarter and prov ided to OPM CIO ITSP.\n\n\nFrS agrees to provid e more detail in the POAM and/o r POAM Milestones and will reflect the\n\nspecific detail appropriately into Trusted Agent FrSMA (T AF).\n\n\nOIG Recommen da tion 4:\n\nWe recomm end that FrS revise its existing POAM items to include the requ ired level of detail as\n\nex plained in the OPM POAM Guide.\n\n\nFIS Response:\n\nFIS agrees with the need to increase the level of detail found within the existing POAMs. It has\n\nbeen noted that the current OPM POAM Guide is a bit outdated (September 2009) and it does\n\nnot accurately reflect the current business process of creation, monitoring, updating and closure\n\nof POA&M s using the TAF application. FrS would request validation the OPM POAM Guide\n\nhas not changed the definition of "required level of detail" since original pub lication.\n\n\x0c'
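As an added example that is not part of the audit report, the following Python script applies the POA&M hygiene checks described in the Plan of Action and Milestones section (aging at the report's 120 and 365 day thresholds, a "weakness" entry that cites no NIST control, a missing "estimated completion date", and a delayed item with no explanatory comment) to a constructed set of POA&M entries. The item fields, the as-of date and the sample entries are assumptions; no real PIPS data is used, and the OPM color scheme itself is not reproduced because the guide's mapping is not in the report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
AS_OF = date(2013, 6, 24)  # constructed "as of" date (the report date); an assumption

@dataclass
class PoamItem:
    item_id: str
    weakness: str
    nist_control: Optional[str]     # NIST SP 800-53 control cited in the "weakness" column
    est_completion: Optional[date]  # "estimated completion date" column
    comments: str = ""              # "comments" column
    closed: bool = False

def days_overdue(item: PoamItem, as_of: date) -> int:
    """Days past the estimated completion date; 0 if closed, undated or not yet due."""
    late = 0 if item.closed or item.est_completion is None else (as_of - item.est_completion).days
    return max(0, late)

def aging_bucket(days: int) -> str:
    """Age bucket at the report's own thresholds: over 365 and over 120 days overdue."""
    if days > 365:
        return "over_365"
    return "over_120" if days > 120 else ("delayed" if days > 0 else "on_track")

def audit_poam(items, as_of):
    """Return (aging counts, [(item_id, issue), ...]) for the open POA&M items."""
    counts = {"over_365": 0, "over_120": 0, "delayed": 0, "on_track": 0, "undated": 0}
    findings = []
    for it in items:
        if it.closed:
            continue
        if it.est_completion is None:
            counts["undated"] += 1
            findings.append((it.item_id, "no estimated completion date"))
        else:
            d = days_overdue(it, as_of)
            counts[aging_bucket(d)] += 1
            if d > 0 and not it.comments.strip():
                findings.append((it.item_id, "delayed item has no explanatory comment"))
        if not it.nist_control:
            findings.append((it.item_id, "weakness column cites no NIST control"))
    return counts, findings

SAMPLE_ITEMS = [  # constructed sample entries, not real PIPS data
    PoamItem("P-01", "Inactive accounts not disabled", "AC-2", date(2012, 1, 15)),
    PoamItem("P-02", "Missing vendor patches", None, date(2013, 1, 1), "patch pending"),
    PoamItem("P-03", "Baseline not documented", "CM-6", None),
    PoamItem("P-05", "Audit logs not reviewed", "AU-6", date(2012, 6, 1), "done", True),
]
```

Running `audit_poam(SAMPLE_ITEMS, AS_OF)` reports one item over 365 days, one over 120 days, one undated item, and three findings, the same categories of deficiency the audit lists for the PIPS POA&M.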